{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T00:42:50Z","timestamp":1759970570741,"version":"build-2065373602"},"reference-count":38,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2025,1,29]],"date-time":"2025-01-29T00:00:00Z","timestamp":1738108800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Humanities and Social Science Foundation of the Ministry of Education of China","award":["22YJC630214","71801125","23GLLC015"],"award-info":[{"award-number":["22YJC630214","71801125","23GLLC015"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["22YJC630214","71801125","23GLLC015"],"award-info":[{"award-number":["22YJC630214","71801125","23GLLC015"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Jiangsu Social Science Foundation","award":["22YJC630214","71801125","23GLLC015"],"award-info":[{"award-number":["22YJC630214","71801125","23GLLC015"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Systems"],"abstract":"<jats:p>With an increasing number of firms in cybersecurity information-sharing platforms, the potential cyber risks become a critical challenge during the exchanging of information. How to balance economic benefits and security requirements is an important topic for both firms and the government. By developing a game-theoretic model, the firms\u2019 optimal strategies are discussed considering their absorptive capacity for security information under different policy constrains. The results show that the value of security information, intrusion loss, the level of cybersecurity vulnerability, the negative impact coefficient of platform security information disclosure, and the absorptive capacity for security information are key factors impacting firms\u2019 decisions. The value of security information and intrusion loss are constrained by the marginal utility of cybersecurity investment and security information sharing. Firms prefer to increase their security investment or security information sharing only if the value of security information and intrusion loss are positively related to the marginal utility of cybersecurity investment or cybersecurity information sharing. Specifically, in the case without policy constrains, the optimal strategies of n firms are discussed, and it is found that they are consistent with those of two firms and that the utility of any firm in the platform decreases as the number of firms increases.<\/jats:p>","DOI":"10.3390\/systems13020083","type":"journal-article","created":{"date-parts":[[2025,1,29]],"date-time":"2025-01-29T04:36:18Z","timestamp":1738125378000},"page":"83","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Economics of Cybersecurity Investment and Information Sharing: Firm Decision Making Under Policy Constraints"],"prefix":"10.3390","volume":"13","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1079-6183","authenticated-orcid":false,"given":"Liurong","family":"Zhao","sequence":"first","affiliation":[{"name":"School of Economics and Management, Nanjing Tech University, Nanjing 211816, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xinshuo","family":"Wu","sequence":"additional","affiliation":[{"name":"School of Economics and Management, Nanjing Tech University, Nanjing 211816, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jiao","family":"Li","sequence":"additional","affiliation":[{"name":"School of Economics and Management, Nanjing Tech University, Nanjing 211816, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Huagang","family":"Tong","sequence":"additional","affiliation":[{"name":"School of Economics and Management, Nanjing Tech University, Nanjing 211816, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2025,1,29]]},"reference":[{"key":"ref_1","unstructured":"(2020). An Empirical Study on Flow-Based Botnet Attacks Prediction (Standard No. NIST Technical Note 2111)."},{"key":"ref_2","unstructured":"European Union (EU) (2023, February 08). The NIS2 Directive A High Common Level of Cybersecurity in the EU: EU Legislation in Progress. Available online: https:\/\/cn.overleaf.com\/project\/679849c8c118b5046c722ba3."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"436","DOI":"10.1016\/j.future.2021.05.033","article-title":"Economic model for evaluating the value creation through information sharing within the cybersecurity information sharing ecosystem","volume":"124","author":"Rashid","year":"2021","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"799","DOI":"10.1080\/01605682.2023.2210594","article-title":"Information sharing and security investment for substitutable firms: A game-theoretic analysis","volume":"75","author":"Gao","year":"2024","journal-title":"J. Oper. Res. Soc."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"155","DOI":"10.1108\/09685221111153546","article-title":"Impacts of organizational capabilities in information security","volume":"19","author":"Hall","year":"2011","journal-title":"Inf. Manag. Comput. Secur."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"461","DOI":"10.1016\/j.jaccpubpol.2003.09.001","article-title":"Sharing information on computer systems security: An economic analysis","volume":"22","author":"Gordon","year":"2003","journal-title":"J. Account. Public Policy"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Stine, K., Quinn, S., Witte, G., and Gardner, R. (2020). Integrating Cybersecurity and Firm Risk Management (erm) (Standard No. NIST IR 8286).","DOI":"10.6028\/NIST.IR.8286-draft2"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"186","DOI":"10.1287\/isre.1050.0053","article-title":"The economic incentives for sharing security information","volume":"16","author":"Ghose","year":"2005","journal-title":"Inf. Syst. Res."},{"key":"ref_9","unstructured":"Lewis, R., Louvieris, P., Abbott, P., Clewley, N., and Jones, K. (2014, January 9\u201311). Cybersecurity information sharing: A framework for sustainable information. Proceedings of the Twenty Second European Conference on Information Systems, Tel Aviv, Israel."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1111\/risa.12878","article-title":"Perspectives on cybersecurity information sharing among multiple stakeholders using a decision-theoretic approach","volume":"38","author":"He","year":"2018","journal-title":"Risk Anal."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"509","DOI":"10.1016\/j.jaccpubpol.2015.05.001","article-title":"The impact of information sharing on cybersecurity underinvestment: A real options perspective","volume":"34","author":"Gordon","year":"2015","journal-title":"J. Account. Public Policy"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Naghizadeh, P., and Liu, M. (February, January 31). Inter-temporal incentives in security information sharing agreements. Proceedings of the 2016 Information Theory and Applications Workshop (ITA), La Jolla, CA, USA.","DOI":"10.1109\/ITA.2016.7888179"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"639","DOI":"10.1016\/j.jaccpubpol.2007.10.001","article-title":"Information sharing among firms and cyber attacks","volume":"26","author":"Hausken","year":"2007","journal-title":"J. Account. Public Policy"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"95","DOI":"10.1016\/j.dss.2011.05.007","article-title":"Knowledge sharing and investment decisions in information security","volume":"52","author":"Liu","year":"2011","journal-title":"Decis. Support."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"423","DOI":"10.1007\/s10796-013-9411-3","article-title":"Security investment and information sharing under an alternative security breach probability function","volume":"17","author":"Gao","year":"2015","journal-title":"Inf. Syst. Front."},{"key":"ref_16","unstructured":"Goodwin, C., Nicholas, J.P., Bryant, J., McKay, A., Ciglic, K., McKitrick, P., Kleiner, A., Neutze, J., Kutterer, C., and Storch, T. (2015). A Framework for Cybersecurity Information Sharing and Risk Reduction, Microsoft."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Johnson, C., Badger, L., Waltermire, D., Snyder, J., and Skorupka, C. (2016). NIST Special Publication 800-150, Guide to Cyber Threat Information Sharing.","DOI":"10.6028\/NIST.SP.800-150"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"550","DOI":"10.1080\/01969722.2013.818433","article-title":"Comprehensive approach to information sharing for increased network security and survivability","volume":"44","year":"2013","journal-title":"Cybern. Syst."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"106","DOI":"10.1007\/s00502-015-0289-2","article-title":"Cyber security information exchange to gain insight into the effects of cyber threats and incidents","volume":"132","author":"Fransen","year":"2015","journal-title":"Elektrotech. Informationstechnik"},{"key":"ref_20","first-page":"20","article-title":"Consideration of Data Security and Privacy Using Machine Learning Techniques","volume":"2","author":"Phan","year":"2023","journal-title":"Int. J. Data Inform. Intell. Comput."},{"key":"ref_21","first-page":"11","article-title":"Information Security: A Coordinated Strategy to Guarantee Data Security in Cloud Computing","volume":"2","author":"Jones","year":"2023","journal-title":"Int. J. Data Inform. Intell. Comput."},{"key":"ref_22","first-page":"1","article-title":"Advancing Cyber Resilience for Autonomous Systems with Novel AI-based Intrusion Prevention Model","volume":"3","author":"Krishna","year":"2024","journal-title":"Int. J. Data Inform. Intell. Comput."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Rantos, K., Spyros, A., Papanikolaou, A., Kritsas, A., Ilioudis, C., and Katos, V. (2020). Interoperability challenges in the cybersecurity information sharing ecosystem. Computers, 9.","DOI":"10.3390\/computers9010018"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Tosh, D.K., Shetty, S., Sengupta, S., Kesan, J.P., and Kamhoua, C.A. (2017). Risk management using cyber-threat information sharing and cyber-insurance. Game Theory for Networks, Proceedings of the 7th International EAI Conference, GameNets 2017, Knoxville, TN, USA, 9 May 2017, Springer.","DOI":"10.2139\/ssrn.3475640"},{"key":"ref_25","unstructured":"Harwood, D.I., and Dahl, E. (2014). Barriers to Cyber Information Sharing. [Master\u2019s Thesis, Naval Postgraduate School]. Available online: https:\/\/core.ac.uk\/download\/pdf\/36736706.pdf."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1080\/23738871.2016.1229804","article-title":"Trust and information sharing: Isacs and us policy","volume":"1","author":"Kollars","year":"2016","journal-title":"J. Cyber Policy"},{"key":"ref_27","unstructured":"Prieto, D.B. (2016). Information sharing with the private sector. History, challenges, innovation, and prospects. Seeds of Disaster, Roots of Response: How Private Action Can Reduce Public Vulnerability, Cambridge University Press."},{"key":"ref_28","unstructured":"Zheng, D.E., and Lewis, J.A. (2015). Cyber Threat Information Sharing: Recommendations for Congress and the Administration, Center for Strategic and International Studies."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Tosh, D.K., Sengupta, S., Mukhopadhyay, S., Kamhoua, C.A., and Kwiat, K.A. (2015, January 3\u20135). Game theoretic modeling to enforce security information sharing among firms. Proceedings of the 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing, New York, NY, USA.","DOI":"10.1109\/CSCloud.2015.81"},{"key":"ref_30","first-page":"45","article-title":"A game theory method to cyber-threat information sharing in cloud computing technology","volume":"11","author":"Amini","year":"2023","journal-title":"Int. J. Inf. Syst. Manag. Syst."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"293","DOI":"10.5195\/TLP.2014.146","article-title":"A voluntary cybersecurity framework is unworkable-government must crack the whip","volume":"14","author":"Gyenes","year":"2013","journal-title":"Pittsburgh J. Technol. Law Policy"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cie.2017.05.018","article-title":"Decisions making in information security outsourcing: Impact of complementary and substitutable firms","volume":"110","author":"Wu","year":"2017","journal-title":"Comput. Ind. Eng."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"1791","DOI":"10.1111\/itor.12972","article-title":"A game of information security investment considering security insurance and complementary information assets","volume":"29","author":"Qian","year":"2021","journal-title":"Int. Trans. Oper. Res."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"747","DOI":"10.1057\/s41274-017-0263-y","article-title":"Comparison of information security decisions under different security and business environments","volume":"69","author":"Wu","year":"2018","journal-title":"J. Oper. Res. Soc."},{"key":"ref_35","first-page":"94","article-title":"Information security strategy choices of competing firms: Autonomous defence or outsourcing","volume":"42","author":"Zhao","year":"2019","journal-title":"Inf. Stud. Theory Appl."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"4069","DOI":"10.1080\/00207543.2017.1400704","article-title":"A new game of information sharing and security investment between two allied firms","volume":"56","author":"Qian","year":"2018","journal-title":"Int. J. Prod. Res."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"1306","DOI":"10.1002\/mde.3310","article-title":"An economic analysis of information security investment decision making for substitutable firms","volume":"42","author":"Li","year":"2021","journal-title":"Manag. Decis. Econ."},{"key":"ref_38","unstructured":"Freebuf (2024, November 12). 2024 China Data Security Enterprise Panorama. Available online: https:\/\/www.freebuf.com\/consult\/415083.html."}],"container-title":["Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2079-8954\/13\/2\/83\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,8]],"date-time":"2025-10-08T10:38:10Z","timestamp":1759919890000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2079-8954\/13\/2\/83"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,1,29]]},"references-count":38,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2025,2]]}},"alternative-id":["systems13020083"],"URL":"https:\/\/doi.org\/10.3390\/systems13020083","relation":{},"ISSN":["2079-8954"],"issn-type":[{"type":"electronic","value":"2079-8954"}],"subject":[],"published":{"date-parts":[[2025,1,29]]}}}